The Android BitCoin vulnerability explained

20 Aug 2013

Last week Google announced a weakness in the Android platform that left users of certain BitCoin wallet applications at risk, potentially allowing the theft of funds.

Upon further examination, it emerged that the Android implementation of the Java SecureRandom class contains a vulnerability that prevents the generation of the secure random numbers needed to protect the wallet applications.

As a result, some signatures have been observed to possess colliding values that allow the private key (designed to protect the money in Bitcoin) to be revealed and money to be stolen.

The security issue is specific to the Android operating system and affects all Android applications that generate private keys on the user’s mobile device.

Technical overview

Since Android was released in 2008, it has used the Java Cryptography Architecture (JCA), which includes a class known as SecureRandom that provides a cryptographically strong random number generator (RNG).

Applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG (Pseudo Random Number Generator).

SecureRandom is supposed to run Android’s OpenSSL PRNG with an entropy seed from /dev/urandom, a protected system root file. With this vulnerability, however, Android applications did not access the urandom file at all, indicating that a truly random seed was not used during the generation process.

The random numbers generated turned out to be less random than expected: they may be repeated and are therefore predictable.

Below you can see some of the info Google shared about the vulnerability:

The thieves who abused this vulnerability probably scanned Bitcoin transactions and looked for repeats in the public keys, which later helped them solve for the private keys, information that should be known only to the owner of the Android device.

Having the private key, they could then transfer money from the user’s account to a different one.

Below you can see the info shared on BitCoin’s blog about the vulnerability:

It is important to mention that today there are malware families that perform Bitcoin mining (the DevilRobber Trojan, which targets Mac machines and mines Bitcoins), steal the contents of the Bitcoin wallet (Coinbit stealer, or the case mentioned in this blog post) or launch Distributed Denial of Service (DDoS) attacks against miners (BackDoor BTmine).

Thieves and malware authors are constantly finding creative ways to steal money, so it was just a matter of time until they discovered the bug found in the Android implementation of Java SecureRandom.

For them it’s just another opportunity to swipe virtual cash from unsuspecting users.

Bitcoin is very popular among criminals or the cyber underground for money laundering.

You can anonymously transact and exchange the virtual currency for Dollars, Euros or gold.

Well, it is hard to know as BitCoin has not made any statement and this bug has been around for a long time.

So far, it appears that the vulnerability has been used to steal at least 55 BTC (approximately $5,720).

Is this the first security incident involving BitCoin?

No, we’ve already seen a few cases in the past relating to the security of BitCoin.

Bitcoin exchange BitFloor closed after a virtual heist in September 2012, when nearly a quarter million dollars' worth of the peer-to-peer currency was stolen by accessing unencrypted backup wallet keys (https://bitcointalk.org/index.php?topic=105818.0).

Nils Schneider, a researcher, published on his blog how he discovered a potential weakness in some Bitcoin implementations on December 25th of 2012: recovering Bitcoin private keys using weak signatures from the blockchain (http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html). This means the pseudo-random generators were not truly random or secure, and as a result the private keys could be recovered.

“In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you can’t update your Android app, alternatively, you can send your bitcoins to a Bitcoin wallet on your computer until your Android app can be updated. You should make sure not to send back your bitcoins to your old insecure addresses.”
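To decide which keys need the rotation described above, a wallet owner can check their own transaction signatures for the colliding values mentioned earlier. The following is an added example, not code from Google, the Bitcoin project or any wallet: it parses DER-encoded ECDSA signatures and reports every key that used the same r value in two different signatures. The record layout, key labels and sample signatures are constructed for illustration.

```python
from collections import defaultdict

def parse_der_signature(sig: bytes):
    """Return (r, s) from a DER ECDSA signature: 0x30 len 0x02 rlen r 0x02 slen s.
    Assumes the caller already stripped Bitcoin's trailing sighash-type byte."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected an INTEGER tag")
        end = pos + 2 + sig[pos + 1]
        if sig[pos + 1] == 0 or end > len(sig):
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def find_reused_r(records):
    """records: (key_id, txid, der_sig_hex) tuples. Returns {key_id: {r: [txids]}}
    for every r that one key used in two or more different signatures."""
    seen = defaultdict(lambda: defaultdict(set))
    for key_id, txid, sig_hex in records:
        r, s = parse_der_signature(bytes.fromhex(sig_hex))
        seen[key_id][r].add((txid, s))
    findings = {}
    for key_id, by_r in seen.items():
        for r, uses in by_r.items():
            # Same r with different s means the per-signature random value repeated.
            if len({s for _, s in uses}) > 1:
                findings.setdefault(key_id, {})[r] = sorted(t for t, _ in uses)
    return findings

# Constructed sample data: short made-up r/s values, not real signatures.
SAMPLE = [
    ("key-A", "tx1", "300c020411223344020455667788"),
    ("key-A", "tx2", "300c02041122334402040a0b0c0d"),  # same r as tx1
    ("key-A", "tx3", "300c02047a7b7c7d020401020304"),
    ("key-B", "tx4", "300c020411223344020455667788"),  # other key, r used once
]

if __name__ == "__main__":
    for key_id, hits in find_reused_r(SAMPLE).items():
        for r, txids in hits.items():
            print(f"{key_id}: r={r:#x} repeated in {txids}; rotate this key")
```

Any key reported here should be treated as exposed and rotated; an empty result does not prove the key was generated with a properly seeded generator.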